基于docker的开源堡垒机jumpserver的安装与实践
官方资源
主机节点准备
redis-server 10.1.100.1
mysql-server 10.1.100.2
jumpserver-server 10.1.100.3
coco-server 10.1.100.4
guacamole-server 10.1.100.5
准备部分参数
#`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 50`
SECRET_KEY rjiVvmKJcNF5CNjeocwooBFjI7KetU2yrQhRmuW2TXVWzoe16m
#`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 16`
BOOTSTRAP_TOKEN tskMDJsbgxRc6WAx
DB_HOST 10.1.100.2
DB_PORT 3306
DB_USER jumpserver
DB_PASSWORD jumpserver
REDIS_HOST 10.1.100.1
#不设置密码
REDIS_PASS
注意：需为数据库 jumpserver 配置相应的访问权限。
构建jumpserver镜像及运行
书写内容
Dockerfile
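# jumpserver core image: the Python app (gunicorn on 8080) fronted by nginx on 80.
#
# Secrets (SECRET_KEY, BOOTSTRAP_TOKEN, DB_PASSWORD, REDIS_PASS) are deliberately NOT
# baked into this image: ARG values never reach the running container, so start.sh
# would have read empty strings anyway, and ARG defaults stay visible in
# `docker history`. Pass them at run time, e.g.
#   docker service create -e SECRET_KEY=... -e BOOTSTRAP_TOKEN=... -e DB_PASSWORD=... jumpserver:v1.0
#
# The database must exist before the first start; run on the MySQL host:
#   create database jumpserver default charset 'utf8';
#   grant all on jumpserver.* to 'jumpserver'@'%' identified by '<DB_PASSWORD>';
#   flush privileges;
# Prefer restricting '%' to the jumpserver-server address. Do not do this from a RUN
# step: the password would land in the build log and the image history.
FROM centos:7

# Build-time knobs only.
ARG JUMPSERVER_REF=master
ARG LUNA_VERSION=1.4.9
# Optional sha256 of luna.tar.gz (placeholder: fill in from the release page);
# verified only when non-empty.
ARG LUNA_SHA256=

# EPEL mirror + toolchain. The yum cache is cleaned in the same layer so it does
# not persist in the image.
RUN yum -y update && \
    curl -fsSL -o /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-7.repo && \
    yum -y install epel-release gcc git python36 python36-devel wget && \
    yum clean all

WORKDIR /opt

RUN python3.6 -m venv /opt/py3

# Checkout pinned by JUMPSERVER_REF (tag or branch) instead of whatever master is today.
RUN git clone --depth=1 --branch "${JUMPSERVER_REF}" https://github.com/jumpserver/jumpserver.git /opt/jumpserver && \
    yum -y install $(cat /opt/jumpserver/requirements/rpm_requirements.txt) && \
    yum clean all

# /bin/sh is bash on centos:7, so `source` works in RUN.
RUN source /opt/py3/bin/activate && \
    pip install --no-cache-dir --upgrade pip setuptools && \
    pip install --no-cache-dir -r /opt/jumpserver/requirements/requirements.txt

# config.yml is filled in by start.sh from the environment at container start;
# the copy here only guarantees the file exists.
RUN cp /opt/jumpserver/config_example.yml /opt/jumpserver/config.yml

# nginx from the signed nginx.org repo (nginx.repo sets gpgcheck=1). There is no
# systemd in the container, so no `systemctl enable`: start.sh launches nginx.
COPY nginx.repo /etc/yum.repos.d/nginx.repo
RUN yum -y install yum-utils && yum makecache fast && \
    yum -y install nginx && \
    yum clean all && \
    rm -f /etc/nginx/conf.d/default.conf
COPY jumpserver.conf /etc/nginx/conf.d/default.conf

# luna web UI; the optional checksum stops a tampered or truncated download.
RUN wget -q "https://github.com/jumpserver/luna/releases/download/${LUNA_VERSION}/luna.tar.gz" && \
    if [ -n "${LUNA_SHA256}" ]; then echo "${LUNA_SHA256}  luna.tar.gz" | sha256sum -c -; fi && \
    tar zxf luna.tar.gz && \
    rm -f luna.tar.gz

# Non-secret runtime defaults, overridable with -e. Secrets have no default on purpose.
ENV DB_HOST=127.0.0.1 \
    DB_PORT=3306 \
    DB_USER=jumpserver \
    REDIS_HOST=127.0.0.1

COPY start.sh /opt/start.sh
RUN chmod +x /opt/start.sh

# 80: nginx; 8080: the app server nginx proxies to (jumpserver.conf, location /).
EXPOSE 80 8080
ENTRYPOINT ["/opt/start.sh"]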
jumpserver.conf
注意：该文件中各 location 语句块的 proxy_pass 需根据实际部署情况修改。
# nginx front end for jumpserver: serves luna (the web UI) and static/media files
# directly, and proxies the websocket/HTTP paths to coco, guacamole and the core app.
# NOTE(review): the coco image EXPOSEs 5000/9122 and the guacamole image 8080, while
# this file targets 9131 and 9132 — those must be the ports published on the hosts
# 10.1.100.4 / 10.1.100.5 when the services are created; confirm against the run commands.
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name _;
client_max_body_size 100m; # upload size limit for session recordings and file transfers
location /luna/ {
try_files $uri / /index.html;
alias /opt/luna/; # luna path; change this if the install directory changes
}
location /media/ {
add_header Content-Encoding gzip;
root /opt/jumpserver/data/; # session recordings; change this if the install directory changes
}
location /static/ {
root /opt/jumpserver/data/; # static assets; change this if the install directory changes
}
# Websocket path for coco: buffering off and the Upgrade/Connection headers are
# required for the connection upgrade to pass through.
location /socket.io/ {
proxy_pass http://10.1.100.4:9131/socket.io/; # coco; use its IP if coco runs on another host
proxy_buffering off;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
#access_log off;
}
location /coco/ {
proxy_pass http://10.1.100.4:9131/coco/; # coco; use its IP if coco runs on another host
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
access_log off;
}
# Guacamole tunnel: also websocket-based, so the same upgrade headers apply.
location /guacamole/ {
proxy_pass http://10.1.100.5:9132/; # guacamole; use its IP if guacamole runs on another host
proxy_buffering off;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $http_connection;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
#access_log off;
}
# Everything else goes to the jumpserver core app in the same container (port 8080).
location / {
proxy_pass http://localhost:8080; # jumpserver core; use its IP if it runs on another host
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
nginx.repo
# Upstream nginx.org stable repo for CentOS. gpgcheck=1 with the key fetched over
# HTTPS means every package is signature-verified before install; keep both as-is.
[nginx-stable]
name=nginx stable repo
baseurl=http://nginx.org/packages/centos/$releasever/$basearch/
gpgcheck=1
enabled=1
gpgkey=https://nginx.org/keys/nginx_signing.key
start.sh
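#!/bin/bash
# Entrypoint for the jumpserver core image: renders config.yml from the environment,
# starts nginx, then runs jms in the foreground as PID 1.
#
# Required env: SECRET_KEY, BOOTSTRAP_TOKEN (the container refuses to start without them,
# because an empty SECRET_KEY would silently produce an insecure install).
# Optional env: DB_HOST, DB_PORT, DB_USER, DB_PASSWORD, REDIS_HOST, REDIS_PASS.
# Secrets are never written to ~/.bashrc or echoed to the log.
set -eo pipefail

JMS_DIR=/opt/jumpserver
CONFIG="$JMS_DIR/config.yml"

for v in SECRET_KEY BOOTSTRAP_TOKEN; do
  if [ -z "${!v:-}" ]; then
    echo "error: $v is not set; generate one and pass it with -e $v=..." >&2
    exit 1
  fi
done

# Non-secret defaults mirror config_example.yml.
: "${DB_HOST:=127.0.0.1}"
: "${DB_PORT:=3306}"
: "${DB_USER:=jumpserver}"
: "${DB_PASSWORD:=}"
: "${REDIS_HOST:=127.0.0.1}"
: "${REDIS_PASS:=}"

# Locale generation is best-effort: a missing locale source should not stop the service.
if localedef -c -f UTF-8 -i zh_CN zh_CN.UTF-8; then
  export LC_ALL=zh_CN.UTF-8
  echo 'LANG="zh_CN.UTF-8"' > /etc/locale.conf
else
  echo "warning: zh_CN.UTF-8 locale could not be generated; continuing with the default locale" >&2
fi

source /opt/py3/bin/activate

# Escape sed replacement metacharacters (\ & / #) so a value containing them cannot
# corrupt config.yml or be misparsed.
esc() { printf '%s' "$1" | sed -e 's/[\\&]/\\&/g' -e 's,/,\\/,g' -e 's,#,\\#,g'; }

# Always render from the pristine example. Editing an already-rendered config.yml in
# place would match "SECRET_KEY:" again on the next start and append the key twice.
# (Hand edits to config.yml therefore do not survive a restart; set values via -e.)
cp "$JMS_DIR/config_example.yml" "$CONFIG"
chmod 600 "$CONFIG"
sed -i "s/SECRET_KEY:/SECRET_KEY: $(esc "$SECRET_KEY")/g" "$CONFIG"
sed -i "s/BOOTSTRAP_TOKEN:/BOOTSTRAP_TOKEN: $(esc "$BOOTSTRAP_TOKEN")/g" "$CONFIG"
sed -i "s/# DEBUG: true/DEBUG: false/g" "$CONFIG"
sed -i "s/# LOG_LEVEL: DEBUG/LOG_LEVEL: ERROR/g" "$CONFIG"
sed -i "s/# SESSION_EXPIRE_AT_BROWSER_CLOSE: false/SESSION_EXPIRE_AT_BROWSER_CLOSE: true/g" "$CONFIG"
sed -i "s/DB_HOST: 127.0.0.1/DB_HOST: $(esc "$DB_HOST")/g" "$CONFIG"
# DB_PORT was never applied by the original script; the pattern is a no-op if the
# example file has no "DB_PORT: 3306" line.
sed -i "s/DB_PORT: 3306/DB_PORT: $(esc "$DB_PORT")/g" "$CONFIG"
sed -i "s/DB_USER: jumpserver/DB_USER: $(esc "$DB_USER")/g" "$CONFIG"
sed -i "s/DB_PASSWORD: /DB_PASSWORD: $(esc "$DB_PASSWORD")/g" "$CONFIG"
sed -i "s/REDIS_HOST: 127.0.0.1/REDIS_HOST: $(esc "$REDIS_HOST")/g" "$CONFIG"
sed -i "s/# REDIS_PASSWORD:/REDIS_PASSWORD: $(esc "$REDIS_PASS")/g" "$CONFIG"

# Only non-secret values are logged: `docker logs` is not a secret store.
echo -e "\033[31m 你的DB_HOST是 $DB_HOST \033[0m"
echo -e "\033[31m 你的DB_USER是 $DB_USER \033[0m"

# nginx daemonizes itself; jms stays in the foreground via exec so docker stop
# delivers SIGTERM to it and the container exits if it dies.
nginx
chmod +x "$JMS_DIR/jms"
exec "$JMS_DIR/jms" start all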
构建命令
docker build -t jumpserver:v1.0 .
运行命令
docker service create
构建coco镜像及运行
书写内容
Dockerfile
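# coco image: the jumpserver SSH / web-terminal component. It registers with the core
# using BOOTSTRAP_TOKEN, which must be the exact same string the core was started with
# (the original recipe's default here was a truncated copy of the core's, which would
# make registration fail). The token is NOT baked into the image — ARG values never
# reach the running container and ARG defaults stay in `docker history` — so pass it
# at run time: docker service create -e BOOTSTRAP_TOKEN=... coco:v1.0
FROM centos:7

# Build-time only.
ARG COCO_REF=master

# EPEL mirror + toolchain; yum cache cleaned in the same layer.
RUN yum -y update && \
    curl -fsSL -o /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-7.repo && \
    yum -y install epel-release gcc git python36 python36-devel wget && \
    yum clean all

WORKDIR /opt

RUN python3.6 -m venv /opt/py3

# Checkout pinned by COCO_REF (tag or branch) instead of whatever master is today.
RUN git clone --depth=1 --branch "${COCO_REF}" https://github.com/jumpserver/coco.git /opt/coco && \
    yum -y install $(cat /opt/coco/requirements/rpm_requirements.txt) && \
    yum clean all

# /bin/sh is bash on centos:7, so `source` works in RUN.
RUN source /opt/py3/bin/activate && \
    pip install --no-cache-dir --upgrade pip setuptools && \
    pip install --no-cache-dir -r /opt/coco/requirements/requirements.txt

# Non-secret runtime default; override with -e when the core runs on another host.
ENV JUMPSERVER_SERVER=http://localhost:8080

COPY start.sh /opt/start.sh
RUN chmod +x /opt/start.sh

# 9122 is the SSHD_PORT start.sh writes into config.yml; 5000 is kept as exposed
# by the original recipe.
EXPOSE 5000 9122
ENTRYPOINT ["/opt/start.sh"]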
start.sh
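#!/bin/bash
# Entrypoint for the coco image.
# Required env: BOOTSTRAP_TOKEN (must match the jumpserver core exactly).
# Optional env: JUMPSERVER_SERVER (core URL; defaults to http://localhost:8080).
set -eo pipefail

CONFIG=/opt/coco/config.yml
KEY_DIR=/opt/coco/data/keys

if [ -z "${BOOTSTRAP_TOKEN:-}" ]; then
  echo "error: BOOTSTRAP_TOKEN is not set; pass the same value the jumpserver core uses" >&2
  exit 1
fi
: "${JUMPSERVER_SERVER:=http://localhost:8080}"

source /opt/py3/bin/activate

# Locale generation is best-effort: a missing locale source should not stop the service.
if localedef -c -f UTF-8 -i zh_CN zh_CN.UTF-8; then
  export LC_ALL=zh_CN.UTF-8
  echo 'LANG="zh_CN.UTF-8"' > /etc/locale.conf
else
  echo "warning: zh_CN.UTF-8 locale could not be generated; continuing with the default locale" >&2
fi

# Escape sed replacement metacharacters (\ & / #) so a token or URL containing them
# cannot corrupt config.yml.
esc() { printf '%s' "$1" | sed -e 's/[\\&]/\\&/g' -e 's,/,\\/,g' -e 's,#,\\#,g'; }

# config.yml is generated once, on first start, so later operator edits survive restarts.
if [ ! -f "$CONFIG" ]; then
  cp /opt/coco/config_example.yml "$CONFIG"
  sed -i "s/BOOTSTRAP_TOKEN: <PleasgeChangeSameWithJumpserver>/BOOTSTRAP_TOKEN: $(esc "$BOOTSTRAP_TOKEN")/g" "$CONFIG"
  sed -i "s/# LOG_LEVEL: INFO/LOG_LEVEL: DEBUG/g" "$CONFIG"
  sed -i "s/# SSHD_PORT: 2222/SSHD_PORT: 9122/g" "$CONFIG"
  sed -i "s#CORE_HOST: http://127.0.0.1:8080#CORE_HOST: $(esc "$JUMPSERVER_SERVER")#g" "$CONFIG"
fi

# The access key file holds coco's registration credential once the core issues it,
# so it is created owner-only (the original 755 made it world-readable).
if [ ! -f "$KEY_DIR/.access_key" ]; then
  mkdir -p "$KEY_DIR"
  echo "" > "$KEY_DIR/.access_key"
  chmod 600 "$KEY_DIR/.access_key"
fi

# Run cocod in the foreground (no -d) via exec: it becomes PID 1, receives SIGTERM
# from docker stop, and the container exits instead of idling in `tail` if it dies.
chmod +x /opt/coco/cocod
exec /opt/coco/cocod start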
构建镜像
docker build -t coco:v1.0 .
运行
docker service create
构建guacamole镜像及运行
书写文件
Dockerfile
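# guacamole image: guacd built from the jumpserver/docker-guacamole tarball, plus
# Tomcat serving guacamole-0.9.14.war with the jumpserver auth extension.
# BOOTSTRAP_TOKEN and JUMPSERVER_SERVER are read by start.sh from the runtime
# environment (pass them with -e); nothing secret is baked into the image.
FROM centos:7

# Build-time only. The *_SHA256 values are placeholders: fill them in from the
# upstream release and the download is verified; left empty, it is not.
ARG GUACAMOLE_VERSION=0.9.14
ARG TOMCAT_VERSION=8.5.40
ARG TOMCAT_MIRROR=https://mirrors.tuna.tsinghua.edu.cn/apache/tomcat
ARG TOMCAT_SHA256=
ARG SSH_FORWARD_VERSION=v0.0.5
ARG SSH_FORWARD_SHA256=

RUN yum -y update && \
    curl -fsSL -o /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-7.repo && \
    yum -y install epel-release gcc git python36 python36-devel wget && \
    yum clean all

WORKDIR /opt

RUN python3.6 -m venv /opt/py3

# Third-party repos for ffmpeg/freerdp. The nux.ro key is imported first so rpm
# verifies that release package; the rpmfusion release packages are installed with
# --nogpgcheck exactly as in the original recipe because their signing key is not
# imported here — import it (rpm --import) if signature verification is required.
# NOTE(review): the nux.ro URLs are plain http; a fetched key over http cannot
# authenticate itself.
RUN rpm --import http://li.nux.ro/download/nux/RPM-GPG-KEY-nux.ro && \
    rpm -Uvh http://li.nux.ro/download/nux/dextop/el7/x86_64/nux-dextop-release-0-5.el7.nux.noarch.rpm && \
    yum -y localinstall --nogpgcheck https://download1.rpmfusion.org/free/el/rpmfusion-free-release-7.noarch.rpm https://download1.rpmfusion.org/nonfree/el/rpmfusion-nonfree-release-7.noarch.rpm && \
    yum clean all

# Build and runtime deps for guacd in one layer, sorted for diffability.
RUN yum -y install \
      autoconf \
      automake \
      cairo-devel \
      ffmpeg-devel \
      freerdp-devel \
      freerdp-plugins \
      ghostscript \
      java-1.8.0-openjdk \
      libjpeg-turbo-devel \
      libpng-devel \
      libssh2-devel \
      libtelnet-devel \
      libtool \
      libvncserver-devel \
      libvorbis-devel \
      libwebp-devel \
      make \
      openssl-devel \
      pango-devel \
      pulseaudio-libs-devel \
      uuid-devel && \
    yum clean all && \
    ln -s /usr/local/lib/freerdp/*.so /usr/lib64/freerdp/

# guacd from source; the extracted tree is removed in the same layer.
RUN git clone --depth=1 https://github.com/jumpserver/docker-guacamole.git /opt/docker-guacamole && \
    cd /opt/docker-guacamole && \
    tar -xf "guacamole-server-${GUACAMOLE_VERSION}.tar.gz" && \
    cd "guacamole-server-${GUACAMOLE_VERSION}" && \
    autoreconf -fi && \
    ./configure --with-init-dir=/etc/init.d && \
    make && make install && \
    cd .. && rm -rf "guacamole-server-${GUACAMOLE_VERSION}" && \
    ldconfig

# GUACAMOLE_HOME layout; keys/ is where start.sh points JUMPSERVER_KEY_DIR.
RUN mkdir -p /config/guacamole/lib /config/guacamole/extensions /config/guacamole/keys && \
    ln -sf "/opt/docker-guacamole/guacamole-auth-jumpserver-${GUACAMOLE_VERSION}.jar" "/config/guacamole/extensions/guacamole-auth-jumpserver-${GUACAMOLE_VERSION}.jar" && \
    ln -sf /opt/docker-guacamole/root/app/guacamole/guacamole.properties /config/guacamole/guacamole.properties

WORKDIR /config

# Tomcat: the original also ran a sed that replaced port 8080 with 8080 (a no-op),
# which is dropped here; the connector stays on 8080.
RUN wget -q "${TOMCAT_MIRROR}/tomcat-8/v${TOMCAT_VERSION}/bin/apache-tomcat-${TOMCAT_VERSION}.tar.gz" && \
    if [ -n "${TOMCAT_SHA256}" ]; then echo "${TOMCAT_SHA256}  apache-tomcat-${TOMCAT_VERSION}.tar.gz" | sha256sum -c -; fi && \
    tar xf "apache-tomcat-${TOMCAT_VERSION}.tar.gz" && \
    rm -f "apache-tomcat-${TOMCAT_VERSION}.tar.gz" && \
    mv "apache-tomcat-${TOMCAT_VERSION}" tomcat8 && \
    rm -rf /config/tomcat8/webapps/* && \
    ln -sf "/opt/docker-guacamole/guacamole-${GUACAMOLE_VERSION}.war" /config/tomcat8/webapps/ROOT.war && \
    sed -i 's/FINE/WARNING/g' /config/tomcat8/conf/logging.properties

# ssh-forward helper; the archive is removed after extraction (the original left it in /config).
RUN wget -q "https://github.com/ibuler/ssh-forward/releases/download/${SSH_FORWARD_VERSION}/linux-amd64.tar.gz" && \
    if [ -n "${SSH_FORWARD_SHA256}" ]; then echo "${SSH_FORWARD_SHA256}  linux-amd64.tar.gz" | sha256sum -c -; fi && \
    tar xf linux-amd64.tar.gz -C /bin/ && \
    rm -f linux-amd64.tar.gz && \
    chmod +x /bin/ssh-forward

WORKDIR /opt

# Non-secret runtime values; BOOTSTRAP_TOKEN and JUMPSERVER_SERVER are supplied with -e.
ENV GUACAMOLE_HOME=/config/guacamole \
    JUMPSERVER_KEY_DIR=/config/guacamole/keys

COPY start.sh /opt/start.sh
RUN chmod +x /opt/start.sh

# Tomcat connector port.
EXPOSE 8080
ENTRYPOINT ["/opt/start.sh"]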
start.sh
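#!/bin/bash
# Entrypoint for the guacamole image: starts guacd, then runs Tomcat in the foreground.
# Required env: JUMPSERVER_SERVER (core URL) and BOOTSTRAP_TOKEN (same value as the core).
# Nothing is appended to ~/.bashrc: the variables are exported for the Tomcat process
# only, so the token does not persist on disk.
set -eo pipefail

for v in JUMPSERVER_SERVER BOOTSTRAP_TOKEN; do
  if [ -z "${!v:-}" ]; then
    echo "error: $v is not set; pass it with -e $v=..." >&2
    exit 1
  fi
done

# Locale generation is best-effort: a missing locale source should not stop the service.
if localedef -c -f UTF-8 -i zh_CN zh_CN.UTF-8; then
  export LC_ALL=zh_CN.UTF-8
  echo 'LANG="zh_CN.UTF-8"' > /etc/locale.conf
else
  echo "warning: zh_CN.UTF-8 locale could not be generated; continuing with the default locale" >&2
fi

# Read by the guacamole-auth-jumpserver extension inside Tomcat.
export JUMPSERVER_SERVER BOOTSTRAP_TOKEN
export JUMPSERVER_KEY_DIR=/config/guacamole/keys
export GUACAMOLE_HOME=/config/guacamole
mkdir -p "$JUMPSERVER_KEY_DIR"

/etc/init.d/guacd start

# `catalina.sh run` keeps Tomcat in the foreground as PID 1: docker stop reaches it,
# and the container exits when Tomcat dies instead of idling in `tail -f /dev/null`.
exec sh /config/tomcat8/bin/catalina.sh run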
构建镜像
docker build -t guacamole:v1.0 .
运行
docker service create
访问jumpserver
浏览器访问 http://10.1.100.3 ，默认用户 admin、密码 admin。